CVE-2025-59471
Unknown Unknown - Not Provided
Denial of Service in Next.js Image Optimizer via Large Remote Images

Publication date: 2026-01-26

Last updated on: 2026-02-13

Assigner: HackerOne

Description
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59471
EUVD
EUVD-2025-206334
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vercel next.js From 10.0.0 (inc) to 15.5.10 (exc)
vercel next.js From 16.0.0 (inc) to 16.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service issue in self-hosted Next.js applications that use the Image Optimizer with `remotePatterns` configured. The image optimization endpoint (`/_next/image`) loads external images fully into memory without limiting their size. An attacker can exploit this by requesting optimization of very large images from allowed external domains, causing the application to run out of memory and become unavailable.

Impact Analysis

The vulnerability can cause denial of service by exhausting the application's memory resources when processing large images from external domains. This can lead to application crashes or unavailability, impacting the reliability and availability of your Next.js application.

Mitigation Strategies

To mitigate this vulnerability, strongly consider upgrading your Next.js application to version 15.5.10 or 16.1.5, which include fixes to reduce risk and prevent availability issues caused by this denial of service vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart